Zsh Mailing List Archive Messages sorted by: Reverse Date, Date, Thread, Author

Re: BUG: crafting SHELLOPTS and PS4 allows to run arbitrary programs in setuid binaries using system

X-seq: zsh-workers 39459
From: Oliver Kiddle <okiddle@xxxxxxxxxxx>
To: Mateusz Lenik <mlen@xxxxxxx>
Subject: Re: BUG: crafting SHELLOPTS and PS4 allows to run arbitrary programs in setuid binaries using system
Date: Tue, 27 Sep 2016 10:56:47 +0200
Cc: zsh-workers@xxxxxxx
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.co.uk; s=s2048; t=1474966607; bh=etV/5BWMxz/wcEZ64y+F6RpxbQyztPx6GcOpE7yGkMc=; h=cc:In-reply-to:From:References:To:Subject:Date:From:Subject; b=IfNclNwizo1pyNo6vvWjuGtQ9DiLNIrSj3T70xYA9BRs4U0i+E2B5BpwXTKM8HM+w5uQRuc2BLPaQGQrsaZNPhSTF5/MpLi/HpQDPrUVTGBCBxkqcmLyQ9chpZzFYXFyHuqv7ow7RSmr4WsuX481u2VZMdqV/1wVqLzTuPvBgdRNcwAMq4S0l4dHEj/4TYSvb0CEgiVGx6gTF4D+5fxUJhCFcKE9uHErzSy9Zu5As6jCCFBE2Jhoabcz2ma3dUWkSH5OWsslyAWp1JvB6YCYrRWJNl0oUXSjBE7uOjRLjdjT2rTma6DoSrHeIR44yZAiGzqSAQ3HvWkdgqbqAY1EVg==
In-reply-to: <CALDAOts+rgsuZfABkgVBphvY4CLcUiMLFA4xR0bUXPNxnhcHug@mail.gmail.com>
List-help: <mailto:zsh-workers-help@zsh.org>
List-id: Zsh Workers List <zsh-workers.zsh.org>
List-post: <mailto:zsh-workers@zsh.org>
Mailing-list: contact zsh-workers-help@xxxxxxx; run by ezmlm
References: <CALDAOts+rgsuZfABkgVBphvY4CLcUiMLFA4xR0bUXPNxnhcHug@mail.gmail.com>

Mateusz Lenik wrote:
> I just learned that bash fixed a vulnerability that also affects zsh. It
> allowed to run arbitrary programs by crafting SHELLOPTS and PS4 variables
> against setuid binaries using system/popen.

Given that zsh doesn't support the SHELLOPTS variable at all, it doesn't
make sense for zsh to be apparently vulnerable.

> Steps to reproduce:
> % gcc -xc - -otest <<< 'int main() { setuid(0); system("/bin/date"); }'

This attack is directed against the shell that system() runs, i.e.
/bin/sh and not the shell from which the setuid binary is invoked. Did
you have /bin/sh linked to zsh. If it was linked to bash then these
steps are merely reproducing the bash bug in bash.

Zsh also needs the prompt_subst option to enable command substitution in
PS4. Perhaps there's an argument for not importing PS4 from the
environment in certain cases anyway but I can't see any security issue.

Oliver

Follow-Ups:
- Re: BUG: crafting SHELLOPTS and PS4 allows to run arbitrary programs in setuid binaries using system
  - From: Peter Stephenson

References:
- BUG: crafting SHELLOPTS and PS4 allows to run arbitrary programs in setuid binaries using system
  - From: Mateusz Lenik

Messages sorted by: Reverse Date, Date, Thread, Author